S 2.371 Regulated deactivation and deletion of unused user accounts

Initiation responsibility: Personnel Department, IT Security Officer, Head of IT

Implementation responsibility: Administrator, Specialists Responsible

When a user account needs to be deactivated or deleted, it must be determined based on the documentation for the access authorisations which authorisations the account possesses in the IT environment and for which authentication procedures the account is needed.

Deactivating accounts

Unused user accounts can pose a security risk. For this reason, it is recommended to deactivate these unused accounts in order to reduce the number of possible points of attack. The higher the privileges these unused accounts possess (for example administrative accounts), the more important it is to delete them. The infrastructure must therefore be examined regularly for active user and administrative accounts that are no longer used. It is also important that such accounts are not shared by more than one person: it must always be possible to determine who used which account at what time.

Deleting accounts

If a user account needs to be deleted, the access rights held by the account must first be determined from the documentation. Before deleting the account, it must be checked on which objects (for example file shares) its authorisations are set. After deletion, it must be ensured that the account and its security ID (SID) have been removed from the access control lists (ACLs); otherwise the entries remain as unresolvable SIDs.

It must also be ensured that the operability of Windows Server 2003 is not restricted, for example by the deletion of service accounts. When deleting administrative accounts, the rules for substitutes must take effect if the corresponding administrative tasks still exist. To accomplish this, a corresponding replacement account must be created and activated before the account is deleted. If such accounts are deleted carelessly, it may become very difficult to restore the ability to administer the resources or to restore access to them. For this reason, it may be necessary to deactivate the account first and only delete it after a test period. A procedure for deleting user accounts should be defined in advance that specifies whether the data created by the user will be kept and, if necessary, how it will be used further. Otherwise, under some circumstances the data may only be readable after additional steps (for example the administrator taking over ownership of the object), or it may no longer be readable at all. This applies especially to highly confidential or encrypted data (see safeguard S 4.278 Secure use of EFS under Windows Server 2003). Accordingly, before deleting the account, it must be determined which groups the user is a member of, to ensure the user is not the only member of a group that holds administrative rights or resource permissions.
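The checks described above (sole membership of groups, explicit authorisations on shares, deactivation before deletion, and orphaned SIDs in ACLs afterwards) can be scripted. The following PowerShell script is an added example and not part of the BSI catalogue; it assumes the ActiveDirectory module (RSAT) is available on the administrator's workstation, and the account name and share path are placeholders to be adjusted.

```powershell
# Added example, not from the BSI catalogue. Assumes the ActiveDirectory module (RSAT);
# $SamAccountName and $SharePath are placeholders for the real account and share.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $SharePath = 'D:\Shares\Projects'     # assumed path, adjust to the environment
)
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, LastLogonDate

# 1. Group memberships: a group whose only member is this account loses every holder
#    of its rights on deletion, so a replacement account must be created first.
$soleMemberOf = foreach ($groupDn in $user.MemberOf) {
    $members = @(Get-ADGroupMember -Identity $groupDn)
    if ($members.Count -eq 1 -and $members[0].SID.Value -eq $user.SID.Value) { $groupDn }
}
if ($soleMemberOf) {
    Write-Warning "$SamAccountName is the sole member of: $($soleMemberOf -join '; ')"
}

# 2. Explicit (non-inherited) ACEs granted to this account on the share, so the
#    authorisations can be documented and reassigned before the account goes.
$explicitAces = foreach ($item in Get-ChildItem -Path $SharePath -Recurse -ErrorAction SilentlyContinue) {
    foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -like "*\$SamAccountName") {
            [pscustomobject]@{ Path = $item.FullName; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
}
$explicitAces | Format-Table -AutoSize

# 3. Deactivate first; delete only after the test period shows nothing depends on the account.
Disable-ADAccount -Identity $SamAccountName -Confirm

# 4. To be run after the later deletion: ACEs whose principal no longer resolves appear
#    as bare domain SIDs (S-1-5-21-...) and must be removed from the ACLs.
function Find-OrphanedSidAce {
    param([string] $Path)
    foreach ($item in Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            if ($ace.IdentityReference.Value -match '^S-1-5-21-') {
                [pscustomobject]@{ Path = $item.FullName; Sid = $ace.IdentityReference.Value }
            }
        }
    }
}
# Find-OrphanedSidAce -Path $SharePath | Format-Table -AutoSize
```

Step 4 is deliberately a function invoked separately, since it only yields results once the account has actually been deleted and its SID can no longer be resolved.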

The steps stated above also present a challenge to the underlying organisational processes. This is described, along with other subjects, in safeguard S 3.10 Selection of a trustworthy administrator and his substitute.

The proper deactivation or deletion of user accounts as well as the corresponding time frames must be documented in a security policy for the IT system.

Review questions: